Change Healthcare Fixes Vulnerability

Monday, October 8, 2018 @ 10:10 AM gHale

Change Healthcare has a patch to mitigate a vulnerability in its PeerVue Web Server that exposes information through an error message, according to a report with NCCIC.

Successful exploitation of this vulnerability, discovered by Dan Regalado of Zingbox, could allow an attacker to obtain technical information about the PeerVue Web Server and use it to target a system for attack.

All versions of PeerVue Web Server up to 7.6.2 suffer from the vulnerability, which is exploitable on an adjacent network.

This vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.

CVE-2018-10624 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.

The product sees use in the healthcare and public health sectors, and it is used on a global basis.

No known public exploits specifically target this vulnerability, but information regarding it has been publicly disclosed. An attacker with a low skill level could leverage the vulnerability.

Change Healthcare released a patch to remediate the reported vulnerability. Users should contact the Change Healthcare Support team for information regarding the patch.